Well, good morning, everyone. Welcome to DEF CON again. We're glad to see you all up this
morning. And my name is Mark Tobias. This is Tobias Blues-Manis, my partner. And hopefully
they'll get our audio problems dealt with. And our ‑‑ hey, okay. Okay. So we got
video on both screens? Right. No teleprompter. But the president is not here either.
So Toby and I work for security labs, which is in our office. And we work for a number
of major lock companies in the world. We have a team that analyzes mainly high security
locks with some consumer‑level products as well. For security vulnerabilities, mainly
for covert entry. So a few years ago at DEF CON, we talked about a number of different
consumer‑level locks, but not really in detail. And as a result of that, we ended
up filing a complaint with one of the standards organizations about the lock we're going to
talk about today. And we figured a couple years would go by, some things would occur,
maybe the problems would be remedied, but they weren't.
So today ‑‑
Okay.
So today we're ‑‑ now the monitor went away here, but I guess we're okay.
Okay.
Yeah.
So today we're going to talk about one of the most popular consumer‑level
mechanical cylinders in the United States. And ‑‑ and the problems, the design problems
that we found. How many of you guys have this lock on your doors?
Ooh.
So everybody knows what this is.
Okay.
Yeah.
So this is probably in the United States, there's really two major consumer‑level brands
in the United States. This is one of them. And they're in every DIY store, hardware store.
And a lot of folks believe that these are really secure. And in many ways they are.
The problem is, as we'll point out to you, in critical ways, they're not. They're not.
So we're going to go through ‑‑ we've done a pretty detailed slide presentation.
And with a lot of graphics and animation that we hope you guys enjoy to detail the problems.
And we recognize that a lot of folks can't afford high‑security cylinders that are
$7,500, $150 a piece. We do understand that. And I guess some locks is better than no locks
on your door. But ‑‑
Okay.
But there's also a false sense of security. That these kind of locks provide a higher
level of security than they do. And that's also enhanced by packaging and marketing statements
by the manufacturers, especially with regard to the Builders Hardware Manufacturers Association
standard for ‑‑ it's a consumer commercial‑level standard that has much more to do with endurance
and durability than security.
And that's the case in this lock.
So Kwik Sets are really easy to understand. Today we're going to talk about their smart
key versus conventional pin tumbler locks and a number of ways that we've determined
to open them very rapidly and to present some serious vulnerabilities.
Now you'll notice that the lock on the left‑hand side of the screen, that's a smart key because
it's got a little slot to the left of the keyway. That means that it's a reprogrammable lock.
So what we're going to do is begin this morning letting you listen to a couple pieces of audio.
We called customer service repeatedly to ask them how secure their locks were as if we
were going to buy some. And we wanted to set the stage because this ‑‑ either
these folks aren't trained properly or they're making statements that they shouldn't be making.
So either way, we thought you would enjoy the questions. These are about two‑minute
clips each. And nothing's been edited out that was relevant. Only the chit‑chat between
us. But these ‑‑ I tried to edit out to the relevant statements.
So this first one was in June of this year with Brian.
Kwik Set, this is Brian. Can I help you?
Say a couple questions on smart key.
Okay.
So my only concern is, is Kwik Set comfortable?
And basically debunk this that there's no way to stick a screwdriver, you know, just
a common tool, into the lock and open it.
No, that would be a negative. I mean, if it was that easy to pick a Kwik Set lock,
they would be having us, you know, do recalls. Okay, if this customer's got this unit, get
a call tag, have a prepaid label sent out and send that back to our quality control.
There's nothing like that. It's business as usual.
Is there any ‑‑ are you guys aware, have been trained, any tools out there that will
open these? Or is this just all nonsense?
No, without the actual key for the unit itself, no.
You can't open it.
No.
So as far as ‑‑ just so I can tell my boss, as far as Kwik Set is concerned, other
than drilling these, if you don't have the key, you're not going to get in.
No.
And that's the bottom line.
Sticking anything foreign inside of the keyway is just going to make it that much harder
to open up.
Okay. So basically what you're telling me is it isn't going to happen.
You can sabotage the keyway, which will ‑‑
Yeah, but ‑‑
Okay. So that was Brian. Okay. So you're starting to get the picture. So this is Satima.
How can I help you?
Are you tech support?
Yes, ma'am.
Ma'am, we're looking at buying a large amount of your smart key cylinders.
Mm‑hmm.
I have some questions.
Sure. Go ahead.
Are you technical?
Yes.
Oh, okay. How about forced entry? How difficult are they? Like, the old locks, you could,
like, take a screwdriver and put a lot of pressure on them.
Yeah, same thing with these. I mean, you can line up the springs. That's what the
screwdriver would do, right? Force the springs to align and open the lock. With these ones,
you can't even put a flathead screwdriver in there.
You can't?
You can't. No.
Okay.
Because they're spring ‑‑ there's racks, we call them.
Okay.
They're coming from up and down, you know, up and down direction.
Okay.
Not just up.
Okay. So this stuff on the Internet is not true, that you can stick a screwdriver in
them and open them?
No. No. We were aware of that video. And, you know, we found out about it. But they
did something else before they showed that video. That's what it was. I believe that's
what I heard, that it was ‑‑ they had to do something else to the cylinder. And
then they recorded the video with just using a flathead screwdriver and opening it. That's
not how it works.
So if somebody walks up to a lock on one of our apartments, unless they can take that
lock apart, you're telling me they can't open it without the right tools.
That's correct. Right.
Is there any quick way of forcing these open?
No.
That a burglar could do, like, in 30 seconds, you know, 15 seconds?
No.
Is there anything that you guys have been trained on or aware of?
Oh, no. No, no, no. Nothing like that. There's no tool that you can just put in the cylinder
and pop it open.
There isn't?
There's no emergency key that you can ‑‑ or we send you that will open it. Nothing
like that.
What does it say with all ‑‑ I mean, how long have you been with Kwikset dealing
with these?
Four years.
Let's just take a 4‑inch or a 6‑inch screwdriver.
Okay.
Which everybody has in their kitchen drawer.
Uh‑huh.
Uh‑huh.
And you stick it in the lock and you take a pair of pliers or a vice grip and you turn
it. Can you open the lock?
No.
Of course.
What about sticking a wire through the ‑‑ where the key goes in or any other
way?
Now, don't jump ahead of yourself.
No.
There's no way.
You can't put up a wire or anything like that.
You cannot?
No.
You cannot.
Okay.
So you wouldn't worry about putting these to protect valuables?
You know, to protect your house or your apartment?
Not at all.
Okay.
So that's what the public is told if you call in and want to know if these locks are
secure.
So unfortunately, and I don't think there's any malice on the part of their employees,
they just don't know.
They have not been educated.
There was plenty of stuff on the net a couple years ago that they referred to.
And I just don't think they know or they've been told not to say it.
We don't know.
So the reality is, as we can see from the show of hands, there's millions of these
locks used in America, homes, apartments, businesses.
They're inexpensive.
The cylinders run $20 to $30, maybe $40 a piece.
They have pin tumbler models and they have smart key models.
They have deadbolts and they also have electronic cylinders.
Okay.
So it is one of the most popular locks in America.
And they've been in business actually for about 60 years.
And again, they have a very diversified product line.
These are some of their distribution channels, as you recognize, Home Depots, Lowe's, Ace
Hardware, lots of folks are carrying these locks.
And mainly they're sold through DIY channels, the do-it-yourself channels rather than the
locksmiths.
A lot of locksmiths actually don't care for these cylinders because it circumvents their
revenue and they're low quality locks.
And this is a shot, I think, from Home Depot.
And they're very, very prevalent.
They've got great marketing.
They're in residential and apartment facilities.
So Kwikset, Wiser, Baldwin, the basics.
Toby?
No.
Keep going.
All right.
So we're talking about pin tumbler locks, which is their older version, and smart key.
Smart key will show you the difference.
In some ways it is a very clever lock.
The pin tumbler locks they sell are five or six pin.
The smart key is five pin.
The smart key, there's some attributes that the pin tumbler locks don't have as far as
security.
The pin tumbler locks, if some of you guys were around several years ago, we had a little
11-year-old.
She's probably in college now.
But she became a YouTube star.
A little girl in one minute figured out how to open these locks.
Whack, whack, they're open.
The problem is they all have the same key way.
There's no duplication protection.
There's no key control protection.
These are definitely not for high security installations.
They're mainly residential and apartments.
So Kwikset history, as I said, they've been around about 60 years.
They're very easily compromised.
And the smart key actually was introduced around 2008.
But probably a lot of you folks still have pin tumbler locks.
You probably wouldn't know the difference unless you look at the little slot.
The right-hand photograph, the little slot to the left of the key way, that indicates
Kwikset.
But it's the same key that will open these locks.
So here's the difference.
On the left is a pin tumbler.
It's a conventional lock with two pins and a spring in each chamber.
On the right-hand side is smart key.
It's much more complicated design.
But same key will open it.
Yeah.
And actually ‑‑ you can see also that what they share is the same key.
What Kwikset did with this design.
Trying to use the same key for their locks.
So you have one that is a pin tumbler design and the other one that you can reprogram and
supposedly be more secure.
You cannot bump.
You cannot pick.
Pick open the lock.
You can probably ‑‑ other attacks like impression in the key, you cannot do that
with Kwikset.
But on the tradeoff, we find ways more easy.
Okay.
So pin tumbler design, they're essentially not secure unless they're a high security
lock with a number of added on attributes.
Pin tumbler locks essentially in this category are easy to pick, easy to bump open, easy
to impression.
They're easy to mechanically bypass.
They can be master keyed.
And it's also fairly easy to determine what the top level master key is.
And there's limited number of combinations.
And these locks are fairly low tolerance locks.
So there are many fewer keys that in the universal keys that will open these locks.
So the pin tumbler lock ‑‑ go ahead.
Okay.
So we're going to go first how a pin tumbler cylinder works.
In this case we have a Kwikset cylinder.
This is what you see from the outside.
Okay.
And the parts ‑‑ we have a shell that is the outside portion, the plug, and the
key slot where you put the key.
That's what mainly more people know about the lock.
So what is inside is a pin stack.
You have a spring and a series of pin tumblers.
And you have a shear line.
That shear line is where you have to move the pin stack in order to create ‑‑ and,
and ‑‑ A clear surface.
Separate those pins in order for the lock to turn.
Okay.
So that's the basics of a pin tumbler.
You have to get that pin on shear line depending on the height of the key so you can unlock
the cylinder.
Now that's one pin on a regular pin tumbler.
You have more than one pin.
You have five.
In this case five pins.
Different heights on the bottom pin, which is the portion that fits the key.
So when you put the key, you see all the bottom pins line up with the cylinder.
So that cylinder can turn if the matching pins match the key.
So if you put a wrong key, what you have is some pins either extend to the block.
Or some pin from the top blocking the rotation of that pin.
It's a very simple design.
Has been for many, many years.
And most manufacturers work around this design, adding side bars, third levels of locking
devices.
But it's the most common element.
Are we okay?
Okay.
Okay.
So that's what is inside on a regular pin tumbler.
We said the smart key is not a pin tumbler lock.
If you look inside, there's very different components that will make that lock be able
to reprogram the lock to any specific key.
And to make it more secure.
To make it more secure against bumping and peeking and some sort of impressioning with
techniques.
Okay.
So this is what the inside of a smart key looks like.
And we'll blow this up in just a minute.
But this is a side bar based lock.
Which means that it's a different locking mechanism that keeps the plug where you stick
the key into from turning.
And this design actually was developed in 1978.
Okay.
The original design here was in over a million hotel rooms because it was the first real
programmable lock.
Very, very clever.
And then it was improved by a company in Italy called Rialda.
And then Kwikset took the Rialda design and modified it for the consumer market in the
United States.
So attributes of smart key.
It's only a five pin lock.
And when we say pins, they're really not pins.
They're sliders.
And there's a really big difference.
Pins mechanically and physically are secure against torque and forced attack.
The sliders in these locks are not quite so secure.
In this lock, there's one side bar that really provides the entire security of this lock.
They are extremely pick resistant.
There's an underwriters laboratory.
There's an underwriters laboratory.
Standard 437.
Which defines picking for commercial and high security locks.
Kwikset actually meets the standard.
That means these cannot be picked in under ten minutes.
They are very, very pick resistant.
And they also cannot be bumped.
Period.
Because there's no pin tumblers.
These are sliders.
And so there's nothing to bump open.
Which in a way.
As we refer to this lock.
It's one of the most secure, insecure locks in America.
Now obviously those are opposite ends of the spectrum.
But that's what it is.
Because from the picking standpoint.
From the impressioning standpoint.
From the bumping standpoint.
You're essentially not going to open them.
The problem is that's trumped by other ways that we'll show you.
The other really cool thing.
How many of you guys have smart key versus the old pin tumblers?
Or do you know?
Oh, so not that many.
Okay.
Well, smart key, they're actually backwards compatible.
Smart key, you can instantly reprogram them without a locksmith.
You stick the correct key into the lock.
Turn it about 30 degrees.
Pull it out.
Stick a new key in.
Turn it back to 12 o'clock.
That lock is reprogrammed with a new combination.
It is a very, very clever and desirable option in the marketplace.
But there's a lot of security tradeoffs to get there.
No, definitely.
We have to also understand that the space that they have to work is always the same.
So to put all these different attributes in a lock, it becomes a very difficult task
to do.
Okay.
So and the other attributes, it has one primary keyway everywhere, which is really a problem
because it's easy to make keys or duplicate keys.
There is no key control.
Now, they make a special deadbolt lock for master keying, limited master keying for like
apartment houses that we'll show you.
And they think that that key cannot be duplicated easily.
We'll show you how that happens.
Okay.
Toby, you want to do this one?
Yeah.
Okay.
So we show you at the beginning how a ping tumbler lock works.
And this is the smart key.
The first key is the smart key.
The first thing that you notice from the outside is that little slot on the side.
That's to change the combination when you follow the right procedure.
So we told you that on the inside, it's totally different.
This lock is based on a sidebar design.
You see a pin.
You see a slider next to the pin and the sidebar.
And the sidebar is in purple.
Yeah.
So when we put torque on that cylinder, the sidebar tries to retract, but it's blocked
by that slider.
So in order for that lock to open, the pin has to move the slider to the right height
so the sidebar can enter the groove of the slider and the lock can be opened.
So that's the principle of this smart key.
As far as the slider sidebar combination.
So the way that they can make the different combinations is the way that they fit the
pin to the slider with these different channels.
The slider is at the same position.
The sidebar at the same position.
But the pin configuration, pin slider changes.
Okay.
So it's different depths from one through six.
Yeah.
The relationship between the pin tumbler on the right hand side and the yellow slider,
those separate in reprogramming mode so that they index to one of the six different little
teeth on the slider.
And then they bring it back together.
That's how the combination is changed in this lock.
Go ahead, Toby.
And it's the same thing.
It's not only one pin slider combination.
Okay.
We have in total for the smart key, we have five pins and five sliders.
So the sliders are the ones that sets the combination inside the smart key cylinder.
So when you put the key and the key is set to that combination, you see the red dot?
That's where the sidebar drops.
Okay.
So when the sidebar drops at that combination, that lock can be opened.
And the pins just follow the combination of the key.
In this case, we have 26341, which is the individual depth of each key.
So if we want to rekey the lock, we have to put the working key into the lock.
They have a special tool that it will move a block in.
Like a hub that houses all those sliders.
And what happens is that the sliders separate from the pins.
So now we can remove the pins, but the pins, the sliders are at the same shear line with
the ‑‑ Yeah, they're locked into position.
So they can't go anywhere until we stick another key in.
So we can put another key.
That key sets to the combination of the key.
And then we have to bring all those sliders back to engage again to the sliders, the pins.
So we have a new key working for this lock.
So it's a very clever design.
They have a ball bearing to prevent also ‑‑ okay.
So these are the components that ‑‑ let's see.
Okay.
So this shows the five‑pin tumblers that the key responds to.
These are locked together to make this lock work.
And the two bottom pieces are the side bars that actually stop that plug from turning.
And this is what the plug looks like.
Yeah.
Their pins are like hallows.
So you can put the pins.
They have a cover.
So you see the tabs where the sliders goes.
And you have that hub.
That puts the slider together with the side bar.
Okay.
So now let's talk about master key systems before we get to the attacks.
So in conventional master key systems and pin tumbler locks, we have one key that can
open many locks.
And there's potentially many different levels of keying.
Because we have an extra pin in each chamber.
And that creates a whole bunch of different shear lines.
So conventional locks are expensive to rekey.
You have to have a locksmith do it.
And there's also what we call incidental master keys.
There's a lot of keys that will open a master keyed cylinder that really aren't intended.
And that's a problem.
And that's a problem.
Well, actually, what happened with master key system, those unintended keys, they tried
to use those to work in the system.
Okay.
So it depends.
Okay.
So how the people who's doing the master key, but you have more than two keys working
on the system.
We're going to show pretty much how a master key system works.
And as we pointed out many years ago, conventional master key systems, if they're not high security,
they can be also easily compromised, but in a different way so we can figure out what
the top level master key is in the system.
So remember the pin tumbler lock and then it has one pin, the spring, top pin, bottom
pin.
Now we have another pin.
We have another pin between the top and the bottom.
So what happened that we are ‑‑ that we are creating two shear lines.
You see?
Right there we can split the pin and the lock opens.
We have one depth for that pin.
But it's also another shear line.
So we have two depths that opens in that specific chamber.
But again, this is not ‑‑ a lock is not one pin.
So we ‑‑ for this example.
We put another split pin.
We put a master ‑‑ let's call it a master wafer.
Middle pin.
And the rest we left the pins like that.
So we have a key that makes the shear line.
So that key will open the cylinder.
We also have a B key that can open that cylinder.
So those were the two intended keys when we are making a master key system.
And we have to understand also that when people say I have a master key, there's no such thing
that as a master key for a GM car, you have to set a master key system.
In a pin tumbler lock when somebody says I have a master key, the system is set to work
with this key.
So we have to set the master wafers in order to set the system to open different locks.
So the problem is now that we have two unintended keys, key C and key B, that will also open
that lock.
And if we add more master wafers, that number is going to increase.
It's an exponential number.
And in some cases, depending on the person who is doing the job.
They can put even more master wafers.
And that creates many, many coincidental keys.
And they're not secure.
And it can also make the lock a lot easier to pick.
The other problem with Kwikset, for example, is the key way is so common and they have
so many different individual keys that they can use that probably your home key, if you
have a commercial facility that has been rekeyed.
And it has a master key system, it's potentially that one of your keys can open one or more
of those locks.
Okay.
So Kwikset came up with what they call key control, which is actually ‑‑ it's basically
a one‑level master key system.
There's two cores in one cylinder.
It's actually a clever system for apartment houses where you only need one level of master
keys.
There's two separate key ways supposedly that are secure that one won't go into the
other.
So the apartment user, the apartment tenant has one key, their change key, and the management
has a key that will open the other core in the lock.
It's actually very clever.
No locksmith is required.
You can instantly change your master key systems.
There are 46,000 theoretical combinations.
They're good for a facility.
There are vulnerabilities that need a very limited kind of system.
So actually, it's a very clever system, however, it's got the same security vulnerabilities
as the single lock.
And again, they can be instantly reprogrammed.
And you do not have the cross key problem in the Kwikset system that you have on conventional
master key systems.
It doesn't exist.
So the problem is they can also be compromised in 15 seconds.
So the problem is they can also be compromised in 15 seconds.
So security, what you get is what you pay for.
Does anybody expect a $20 to $30 lock, $40 lock, to actually be secure?
And that's the question.
And again, we understand that a lot of folks can't afford high security locks.
But we also believe that the public has a right to understand so they can make the decision
knowingly and intelligently whether they'll accept the risk.
So as we say, there's millions of facilities.
And there's a false sense of security as we talked about between the BHMA standard that
says this is the highest grade of security for residential and the anti-picking, anti-bumping.
So we're going to go through and as you heard the tech reps at Kwikset say, there's no way
to get into these locks if you don't have the key or you've got to drill them and destroy
them.
Okay.
So smart key design issues.
The problem is with the side bar and the sliders.
There's only one layer of security.
And our problem is these little sliders that you see, they're very fragile.
And there's also maintenance problems and programmability problems and low tolerance
with the lock.
So we're ‑‑ and the real problem is we're going to show you in a minute, you can apply
torque to these plugs and open them.
So here's the attack method.
The methodology that we came up with.
Try out keys, wire through the key way, visually reading the side bar and the slider positions,
torque the plug, replicating key control and decoding of the master key.
Other than that, they're very, very secure locks.
Okay.
So first of all, try out keys.
Probably most of you guys aren't old enough to remember in the 60s we had 64 keys that
would open all General Motors cars.
64.
Because we split the difference, we exploited the tolerance in the locks.
You know, I'm talking that there is no such thing as a master key system for GMs and you
say that ‑‑ Well, they're not master key.
They're try out keys.
You jiggle them in the key way.
Okay.
Sometimes they would open most of the time.
But what you're doing is cutting the tolerance in half.
And the same thing in quick set.
So basically with six depths in a quick set.
Okay.
Most of the time we can make three depths equal six depths.
So here is a graphic.
The six depths on a quick set key, one, two, three, four, five, six cuts.
This is a depth increment key of one, one and a half and two, three, three and a half
and four, five, five and a half and six.
We didn't do this.
This is something that we test on the smart key.
This is an old, old, old type of activity.
We try to split the difference between one cut and the other one.
Because the tolerances ‑‑ you need tolerances for this lock to work.
Yeah.
So the next problem has always been their problem and it's called the tailpiece design.
And this is the linkage when you insert the key into the plug, the plug has to talk to
the bolt or the latch to communicate the energy to withdraw or lock the bolt.
So with quick set, this is hollow on one side.
It's square and it's hollow so it will interface on both sides of the door together through
the bolt.
So this is a huge problem.
So this is one of the attacks that we developed on one of their older key and knob cylinders.
This is a special key that we made on the bottom that if we knock out the piece at the
end of the key way so there's a slot, we can go right through that and open the lock.
So ‑‑ Should we run it?
No.
Okay.
So if you stick that in literally in five seconds, this key and knob lock is open.
This is another design.
Toby?
Yeah.
This is an old design.
And actually this is a pin tumbler lock.
They share the same configuration.
But the back was covered by like 20,000 of an inch thick of brass.
So we were just piercing that with an old quick set.
Quick set key that you can get anywhere.
And we put in a piece of wire that was bent to accommodate the cylinder.
Okay.
So this is the newer design.
This is on the quick set smart key.
Okay.
And we're going to show how easy we can access the tailpiece.
You tell us whether you think this is ‑‑ come on.
Whether you think this is secure.
Where's our ‑‑ okay.
This attack on the tailpiece of the quick set smart key and earlier cylinders is based
on the design of the tailpiece by quick set.
It's hollow.
And it's square, which allows us to pierce the cap at the end of the plug and insert
a wire that's been formed to catch the edges of the tailpiece.
Okay.
And turn it.
Okay.
The first thing is to introduce the tool like a regular key.
I'm going to put tension.
And that tension is going to make the side bar block the slider so I can remove the
tool.
And the reason is I need to pull the tool backwards so we can start piercing from the
top.
That's the complicated part.
Okay.
It's just a sharp piece of metal.
Yeah.
That's the complicated part.
Now it's a matter of ‑‑ So you can see the back on one side.
And the seat is just ‑‑ That's it.
So ‑‑ and this is a complicated part that you have to ‑‑
Yeah.
You have to use the pliers.
Yeah.
Yeah.
That's why I let him do it.
Okay.
You know, I always get the complicated parts.
And now we have an opening for a wire.
So now we can access the tailpiece that is attached to that.
And right here, you see, I'm moving the ‑‑ keep going because ‑‑
Yeah.
And that's it.
And that will open the lock.
So ‑‑ So that's it.
You put this.
That's it.
And the lock, there's no damage to the lock.
Your key still works.
So how many of you ‑‑ how many of you still trust your door locks?
Okay.
Next one.
Visual decoding.
We ‑‑ and we didn't show this, but we'll tell you.
You can actually take a little mirror, insert it into the lock.
It takes a little more talent.
And you can read the position of each of the screws.
The sliders.
Okay.
Here's the really good one.
This is ‑‑ as I told Toby, let's just label the slide torqued off.
So this is torquing the plug.
And we actually filed a complaint with the builder's hardware manufacturer's association
a couple years ago.
It was essentially ignored that we didn't think this lock should be certified as a grade
1 lock.
This is the entire security of this lock as far as we're concerned.
These are sliders, as you saw in the diagrams.
The one on the left is normal.
The one on the right has been warped.
You can see it's not straight.
Okay?
And this is also what happens when you stick a screwdriver into the plug of the lock.
Again, it's warped.
The geometry changes.
Yeah.
You know, we said that the lock is going to be as secure as his weakest link.
Yeah.
And if the material is not strong enough, that's the end of it.
We also did some ‑‑ ran some tests.
And we were able to torque this link.
We were able to torque the lock at 112 pound force inches.
The standard actually requires 300.
But their argument was, well, yeah, but you're either sticking a paper clip or a piece of
key, a broken off piece of key into the keyway.
Okay.
There is one element that ‑‑ yeah.
This one element that ‑‑ on the cylinder that when we torque the plug, we have to
introduce a piece of key wire.
Okay.
Because we need to lift that slider that is blocking through the housing.
Because there's three different depths, depth one, the depth two, and the depth three that
it will block the physical slider will block the rotation for that ‑‑ for that thing.
But there is a specific position.
And it doesn't matter which depth is set the slider.
The slider is going to get inside the plug.
So the ‑‑ the only prevent ‑‑ element preventing the cylinder for opening is the
slide.
Okay.
So here's what happens.
Here's the audio.
So that's the smart key.
We just need to ‑‑ that is specific.
Hide.
And we're using a piece of paper clip.
We just ‑‑ That's also the complicated part.
And of course I did that part.
Yeah.
So this is just a standard little screwdriver.
We just seat it into the keyway.
You really don't have to bang on it.
This is a very small vice grip.
This is your door on your house.
Okay.
You see it's already turned.
You can see the plug is already turned.
Okay.
And once it's done, you know, those sliders bend, the plug compresses.
So now the cylinder can go back and forth.
There's no ‑‑ now you have to put that piece there.
And that's the reason why they pass the test on the certification.
To one side?
Because when they test for this lock, they put the screwdriver, they torque it, they
say ‑‑ It's open.
But the cylinder is open right now.
Okay.
Same problem.
No key control.
Plastic keys.
Okay.
This is very impressive.
Okay.
Okay.
That's a MasterCard.
No.
That's Chase.
Oh.
Sorry.
Yeah.
I didn't know.
So then we figured out how to decode the lock because we're going to run out of time.
So basically there's a procedure that we can take six different keys and we can figure
out ‑‑ How to decode it.
Those are the depths of each pin.
But now if we notice that sidebar ‑‑ Okay.
It really doesn't ‑‑ do not engage on the false gates.
So we designed one key that can move ‑‑ basically what we're going to ‑‑ you're
going to see here in this video is that if we can remove the key from the cylinder with
a specific depth, that is an indication that that depth will have the code ‑‑
So I don't think we have time to run this video.
But these are the six keys.
Let me just do part of this.
Okay.
This is going to be decoding the control cylinder on a quick set.
This is the problem with our master key.
We've got depth analysis keys, depth probing keys for each of the six depths that we're
going to probe in rapid order and determine the ‑‑ essentially the gate positions
on each of the sliders.
So let's start with number six.
You just have to put the key in, put a little bit of torque and try to remove the key.
If we cannot remove the key, it's an indication that that thing is not set for that depth.
Okay.
So that's ‑‑ Basically we go through and probe each of
the six sliders.
Okay.
And then once we figure out the code, we generate a key for it in, like, ten seconds.
So we go pin by pin.
We just put the key in that position, try to remove it.
If it can be removed, we record the number that we're using to ‑‑
Yeah.
And so basically Toby goes through, decodes the entire lock, creates a key for it.
So making the control key is we'll wrap this up.
This is their master key scheme.
Yeah.
This is the way that Quicksit takes the approach for the master key system.
This is what they call the key control ‑‑ It's not playing.
No, it's not playing.
It's not playing.
Okay.
Go ahead.
So that cylinder has another cylinder on top.
So that's the scheme that they use.
It's two cylinders because their platform now is so small that they decided, well, I
can have one key for a renter and one key for the user.
The thing is they're so close.
And all this attack also can be performed on their lock that we thought, well, this
is not secure.
It's even more insecure because you don't see the cylinder is on top, that the cover
has to turn so you can expose the other cylinder.
So if you torque the plug or you pierce the plug, you're never going to notice.
And that's something that you as a consumer should know that ‑‑
Yeah.
Here's the bottom line, as we'll sum up.
This is a very clever design lock in certain respects, but it's also extremely insecure
in certain respects.
And so there's really a trade‑off.
And you need to understand when you spend money on locks, it's an insurance policy.
You need to understand that you really do get what you pay for, and it may look secure,
but that, as we've shown you, it doesn't mean that it is.
I think that wraps it up for this DEF CON this year.
We thank you very much for coming, and we hope you enjoyed this.
I'm wondering if they have any questions so far.
Thank you.
Thank you.
